github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 01:38:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

[Detection Rules] Add 8.5 rules (#142239)

Browse source 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
This commit is contained in:
Terrance DeJesus 2022-09-29 16:05:22 -04:00 committed by GitHub
parent 1bf14d7ab8
commit 907c1059ba
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
193 changed files with 413 additions and 389 deletions
Download patch file Download diff file Expand all files Collapse all files

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_cloudtrail_logging_created.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -81,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_subscription_creation.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -72,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_gcp_pub_sub_topic_creation.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -72,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_google_drive_ownership_transferred_via_google_workspace.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "google_workspace",
"version": "1.2.0"
"version": "^1.2.0"
}
],
"required_fields": [
@ -86,5 +86,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_google_workspace_custom_gmail_route_created_or_modified.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "google_workspace",
"version": "1.2.0"
"version": "^1.2.0"
}
],
"required_fields": [
@ -86,5 +86,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_microsoft_365_new_inbox_rule.json
View file

@ -27,7 +27,7 @@
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -110,5 +110,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/collection_update_event_hub_auth_rule.json
View file

@ -23,7 +23,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -89,5 +89,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempted_bypass_of_okta_mfa.json
View file

@ -19,7 +19,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -65,5 +65,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_attempts_to_brute_force_okta_user_account.json
View file

@ -22,7 +22,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -73,5 +73,5 @@
"value": 3
},
"type": "threshold",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_aws_iam_assume_role_brute_force.json
View file

@ -21,7 +21,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -86,5 +86,5 @@
"value": 25
},
"type": "threshold",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_azure_full_network_packet_capture_detected.json
View file

@ -23,7 +23,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -74,5 +74,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_iam_user_addition_to_group.json
View file

@ -24,7 +24,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -92,5 +92,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_key_vault_modified.json
View file

@ -24,7 +24,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -82,5 +82,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_brute_force_user_account_attempt.json
View file

@ -24,7 +24,7 @@
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -90,5 +90,5 @@
"value": 10
},
"type": "threshold",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_microsoft_365_potential_password_spraying_attack.json
View file

@ -19,7 +19,7 @@
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -80,5 +80,5 @@
"value": 25
},
"type": "threshold",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_okta_brute_force_or_password_spraying.json
View file

@ -22,7 +22,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -78,5 +78,5 @@
"value": 25
},
"type": "threshold",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_root_console_failure_brute_force.json
View file

@ -23,7 +23,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -89,5 +89,5 @@
"value": 10
},
"type": "threshold",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_secretsmanager_getsecretvalue.json
View file

@ -26,7 +26,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -79,5 +79,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_storage_account_key_regenerated.json
View file

@ -23,7 +23,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -74,5 +74,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_user_excessive_sso_logon_errors.json
View file

@ -20,7 +20,7 @@
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -81,5 +81,5 @@
"value": 5
},
"type": "threshold",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/credential_access_user_impersonation_access.json
View file

@ -20,7 +20,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -61,5 +61,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_application_removed_from_blocklist_in_google_workspace.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "google_workspace",
"version": "1.2.0"
"version": "^1.2.0"
}
],
"required_fields": [
@ -102,5 +102,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_deactivate_okta_network_zone.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -77,5 +77,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_attempt_to_delete_okta_network_zone.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -77,5 +77,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_application_credential_modification.json
View file

@ -22,7 +22,7 @@
"related_integrations": [
{
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -80,5 +80,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_automation_runbook_deleted.json
View file

@ -23,7 +23,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -69,5 +69,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_blob_permissions_modified.json
View file

@ -22,7 +22,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -73,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_diagnostic_settings_deletion.json
View file

@ -23,7 +23,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -81,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_azure_service_principal_addition.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -82,5 +82,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_deleted.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -89,5 +89,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudtrail_logging_suspended.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -89,5 +89,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_cloudwatch_alarm_deletion.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -89,5 +89,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_config_service_rule_deletion.json
View file

@ -26,7 +26,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -85,5 +85,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_configuration_recorder_stopped.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -88,5 +88,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_domain_added_to_google_workspace_trusted_domains.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "google_workspace",
"version": "1.2.0"
"version": "^1.2.0"
}
],
"required_fields": [
@ -87,5 +87,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_flow_log_deletion.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -89,5 +89,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_ec2_network_acl_deletion.json
View file

@ -27,7 +27,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -90,5 +90,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elasticache_security_group_creation.json
View file

@ -24,7 +24,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -87,5 +87,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_elasticache_security_group_modified_or_deleted.json
View file

@ -24,7 +24,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -87,5 +87,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_event_hub_deletion.json
View file

@ -25,7 +25,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -83,5 +83,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_firewall_policy_deletion.json
View file

@ -23,7 +23,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -81,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_frontdoor_firewall_policy_deletion.json
View file

@ -23,7 +23,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -81,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_created.json
View file

@ -21,8 +21,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -68,5 +69,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_deleted.json
View file

@ -21,8 +21,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -68,5 +69,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_firewall_rule_modified.json
View file

@ -21,8 +21,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -68,5 +69,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_bucket_deletion.json
View file

@ -21,8 +21,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -73,5 +74,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_logging_sink_deletion.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -72,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_subscription_deletion.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -72,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_pub_sub_topic_deletion.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -72,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_configuration_modified.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -73,5 +74,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_storage_bucket_permissions_modified.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -72,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_network_deleted.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -80,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_route_created.json
View file

@ -21,8 +21,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -76,5 +77,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_gcp_virtual_private_cloud_route_deleted.json
View file

@ -21,8 +21,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -81,5 +82,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_google_workspace_bitlocker_setting_disabled.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "google_workspace",
"version": "1.2.0"
"version": "^1.2.0"
}
],
"required_fields": [
@ -92,5 +92,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "google_workspace",
"version": "1.2.0"
"version": "^1.2.0"
}
],
"required_fields": [
@ -102,5 +102,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_guardduty_detector_deletion.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -88,5 +88,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_kubernetes_events_deleted.json
View file

@ -23,7 +23,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -81,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_dlp_policy_removed.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -84,5 +84,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.json
View file

@ -22,7 +22,7 @@
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -83,5 +83,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -84,5 +84,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.json
View file

@ -22,7 +22,7 @@
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -83,5 +83,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_microsoft_365_mailboxauditbypassassociation.json
View file

@ -22,7 +22,7 @@
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -85,5 +85,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_network_watcher_deletion.json
View file

@ -23,7 +23,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -81,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_deactivate_okta_policy.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -77,5 +77,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -77,5 +77,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_delete_okta_policy.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -77,5 +77,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_delete_okta_policy_rule.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -77,5 +77,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_network_zone.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -77,5 +77,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_policy.json
View file

@ -22,7 +22,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -76,5 +76,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_okta_attempt_to_modify_okta_policy_rule.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -77,5 +77,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_s3_bucket_configuration_deletion.json
View file

@ -28,7 +28,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -84,5 +84,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suppression_rule_created.json
View file

@ -24,7 +24,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -75,5 +75,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.json
View file

@ -25,7 +25,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -106,5 +106,5 @@
"value": 5
},
"type": "threshold",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_acl_deletion.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -83,5 +83,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/defense_evasion_waf_rule_or_rule_group_deletion.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -88,5 +88,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_blob_container_access_mod.json
View file

@ -23,7 +23,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -89,5 +89,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/discovery_denied_service_account_request.json
View file

@ -21,7 +21,7 @@
"related_integrations": [
{
"package": "kubernetes",
"version": "1.17.2"
"version": "^1.4.1"
}
],
"required_fields": [
@ -70,5 +70,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 1
"version": 2
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/execution_command_virtual_machine.json
View file

@ -25,7 +25,7 @@
{
"integration": "activitylogs",
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -76,5 +76,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_full_network_packet_capture_detected.json
View file

@ -26,7 +26,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -97,5 +97,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_snapshot_change_activity.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -78,5 +78,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_ec2_vm_export_failure.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -96,5 +96,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_gcp_logging_sink_modification.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -72,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_creation.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -84,5 +84,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_microsoft_365_exchange_transport_rule_mod.json
View file

@ -24,7 +24,7 @@
"related_integrations": [
{
"package": "o365",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -85,5 +85,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_export.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -76,5 +76,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/exfiltration_rds_snapshot_restored.json
View file

@ -23,7 +23,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -87,5 +87,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_attempt_to_revoke_okta_api_token.json
View file

@ -22,7 +22,7 @@
"related_integrations": [
{
"package": "okta",
"version": "1.3.0"
"version": "^1.3.0"
}
],
"required_fields": [
@ -68,5 +68,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_aws_eventbridge_rule_disabled_or_deleted.json
View file

@ -24,7 +24,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -81,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_azure_service_principal_credentials_added.json
View file

@ -24,7 +24,7 @@
"related_integrations": [
{
"package": "azure",
"version": "0.12.0"
"version": "^1.0.0"
}
],
"required_fields": [
@ -75,5 +75,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudtrail_logging_updated.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -104,5 +104,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_group_deletion.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -104,5 +104,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_cloudwatch_log_stream_deletion.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -105,5 +105,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 101
"version": 102
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_ec2_disable_ebs_encryption.json
View file

@ -26,7 +26,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -89,5 +89,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_efs_filesystem_or_mount_deleted.json
View file

@ -25,7 +25,7 @@
{
"integration": "cloudtrail",
"package": "aws",
"version": "1.10.2"
"version": "^1.5.0"
}
],
"required_fields": [
@ -81,5 +81,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_iam_role_deletion.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -72,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_deleted.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -72,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_service_account_disabled.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -72,5 +73,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

5
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_gcp_storage_bucket_deleted.json
View file

@ -20,8 +20,9 @@
],
"related_integrations": [
{
"integration": "audit",
"package": "gcp",
"version": "1.10.0"
"version": "^2.2.1"
}
],
"required_fields": [
@ -67,5 +68,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

4
x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/impact_google_workspace_admin_role_deletion.json
View file

@ -23,7 +23,7 @@
"related_integrations": [
{
"package": "google_workspace",
"version": "1.2.0"
"version": "^1.2.0"
}
],
"required_fields": [
@ -80,5 +80,5 @@
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 100
"version": 101
}

Some files were not shown because too many files have changed in this diff Show more